VLANs and bridging
Mark Daniel Reidel
mark at removetomailme.reidel.info
Thu Oct 16 02:05:54 PDT 2003
Hello,
I'm having a network problem I cannot solve myself and am hoping you
could point me in the right direction.
I'm currently hosting a lot of computers, all in the same subnet. Since
there are administrative servers, hosting servers, and so on, I want to
limit access from one logical group to the other. However, the computers
are at physically totally scattered locations, some in the same rack,
some not.
It's impossible for me to divide the network into subnets, keep that in
mind.
My idea was to install several VLANs, each of them holding a group of
computers, and connecting them via a filtering bridge. So my setup looks
like this:
    +--------+    +--------+    +--------+
    | Switch |----| Switch |----| Switch |
    +--------+    +--------+    +--------+
     | | | |       | | | |       | | | |
    Computers         |         Computers
                      |
                   FreeBSD
                   Machine
                      |
                      \-- Internet
The obvious drawback is that all the traffic between the VLANs would
have to pass through this bridge, but most of the traffic will pass to
the internet and back, the traffic between the VLANs is not that much
but nevertheless important.
For testing, I used a FXP-card and did NOT connect the box to the
internet, just to the switch. The switch was configured to give tagged
packets to the BSD-machine and non-tagged to all other ports.
I compiled the BRIDGE into the kernel and set up two VLANs to test:
ifconfig fxp0 up
ifconfig vlan1 create
ifconfig vlan2 create
ifconfig vlan1 vlan 1 vlandev fxp0
ifconfig vlan2 vlan 2 vlandev fxp0
The next step was to setup a bridge between vlan1 and vlan2:
sysctl net.link.ether.bridge=1
sysctl net.link.ether.bridge_cfg=vlan1,vlan2
And then: nothing happens. It simply doesn't work. Using tcpdump shows
me that there are ARP packets being sent and the bridge seems to be
forwarding those, but I never get an answer packet. There was no packet
filter active at this moment, so I assume there is a problem with
bridging VLANs (since bridging fxp0 to rl0 works flawlessly).
My question now is: I've read in some mails that bridging between tagged
VLANs is currently not working really well. So what am I to do? Is there
a better solution (besides subnets and using a gateway)? Is there a way
to make it work? I also read about netgraph bridging but as I
understand, there's no way to make it filter packets.
Any suggestions or hints?
- Mark
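As an added example, not part of Mark's mail or of any reply on the list: the same two-VLAN filtering bridge written for if_bridge(4), which in FreeBSD 6.0 replaced the bridge(4) sysctl interface used above and accepts vlan(4) interfaces as members. The interface names (fxp0, vlan1, vlan2) follow the mail; the host addresses, the placement of the two groups on the two VLANs, and the policy (hosting hosts may reach admin hosts only over SSH) are assumptions made for the example.

```conf
# /etc/rc.conf fragment (added example; assumes FreeBSD 6.0 or later)
cloned_interfaces="vlan1 vlan2 bridge0"
ifconfig_fxp0="up"
ifconfig_vlan1="vlan 1 vlandev fxp0 up"      # tagged VID 1 arriving on fxp0
ifconfig_vlan2="vlan 2 vlandev fxp0 up"      # tagged VID 2 arriving on fxp0
ifconfig_bridge0="addm vlan1 addm vlan2 up"  # bridge the two VLANs
pf_enable="YES"

# /etc/sysctl.conf fragment
# Filter on the member interfaces (vlan1, vlan2), not on bridge0 itself,
# so rules can name the VLAN a frame came in on.
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
# Let non-IP frames such as ARP cross the bridge unfiltered, so address
# resolution between the groups (same subnet, as in the mail) keeps working.
net.link.bridge.pfil_onlyip=1

# /etc/pf.conf fragment (addresses are constructed placeholders)
table <admin>   { 192.0.2.10, 192.0.2.11 }   # assumed: admin servers on vlan1
table <hosting> { 192.0.2.20, 192.0.2.21 }   # assumed: hosting servers on vlan2

# Default: forward everything, including traffic to and from the Internet.
pass all
# Exception: hosting servers may open SSH to the admin group.
pass in quick on vlan2 proto tcp from <hosting> to <admin> port 22
# Otherwise the hosting group may not reach the admin group at all.
block in log quick on vlan2 from <hosting> to <admin>
```

The `quick` rules are evaluated before the catch-all `pass all` takes effect because pf applies the last matching rule unless a rule says `quick`; check the result with `pfctl -sr` and `ifconfig bridge0`.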